[syslog-ng] Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)

不坏阿峰 onlydebian at gmail.com
Sun Apr 28 18:05:40 CEST 2013


Attached are my current syslog-ng.conf and esxi_pattern.xml.

My syslog-ng receives UDP logs from an ESXi host, and I am trying to test the
db-parser and log the result.

I have changed it to <pattern>system</pattern>, but I still cannot get any
values from the parser macros.

Thanks.


2013/4/28 Evan Rempel <erempel at uvic.ca>

> Sorry for not being more clear in my first response.
>
> You have a template of
>
> template("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} HOSTIP
> ${.esxi.host_ip},${.esxi.message}\n")
>
> When syslog-ng receives a syslog message, it logs it as:
>
> === system,error,critical,   HOST IP ,
>
> This means that $PROGRAM contains "system"
>
> Now for the patterndb part.
>
> The patterndb parser FIRST matches $PROGRAM to the <pattern>XXXX</pattern>
> in the <ruleset>
>
> <?xml version="1.0" encoding="utf-8"?>
> <patterndb version='3' pub_date='2009-04-17'>
>     <ruleset name='esxi' id='123456678'>
>         <pattern>XXXX</pattern>
>
> In your case you have specified <pattern>ESXI</pattern>, so the patterndb
> parser will NOT use any of your patterndb because it does not match $PROGRAM.
>
> You need to use
>
> ########   esxi_pattern.xml ############
> <?xml version="1.0" encoding="utf-8"?>
> <patterndb version='3' pub_date='2009-04-17'>
> <ruleset name='esxi' id='123456678'>
> <pattern>system</pattern>
> <rules>
> <rule provider='Fone Bro' id='182437592347598' class='esxi'>
> <patterns>
> <pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@
> @STRING:.esxi.time::@@IPv4:.esxi.host_ip:@
> @ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
> </patterns>
> </rule>
> </rules>
> </ruleset>
> </patterndb>
>
>
>
> You have not included a complete syslog-ng source line for me to see what
> you are trying to match against, so I cannot tell if your pattern will
> actually match the lines that you are trying to match.
> At my organization we run ESX as well, and none of our lines would match
> the pattern that you have, but your environment might be different.
>
> I hope this was more clear.
>
> Evan.
>
>
>
>
> ________________________________________
> From: 不坏阿峰 [onlydebian at gmail.com]
> Sent: Sunday, April 28, 2013 8:24 AM
> To: syslog-ng at lists.balabit.hu; Evan Rempel
> Subject: Re:Can not get DBParse match macro result (syslog-ng 3.13 debian
> squeeze)
>
> Thanks for your reply. I do not understand what to do now; it has puzzled
> and troubled me for some days. I read the BalaBit syslog-ng OSE guide, and
> it only has brief information on this.
>
> How do I do this:
> ----->>>>
> If you change the patterndb ruleset pattern to use a program of system
> rather than ESXI I think it would work.
>
>
>
> Message: 1
> Date: Sat, 27 Apr 2013 22:34:50 +0800
> From: 不坏阿峰 <onlydebian at gmail.com>
> Subject: [syslog-ng] Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)
> To: syslog-ng at lists.balabit.hu
>
> When I use pdbtool to do a match test, it succeeds, but from syslog-ng I
> cannot get the macro results. For example, ${.esxi.month} has no value, and
> the same goes for ${.esxi.host_ip} and ${.esxi.time}.
>
> The test log output looks like this:
> === system,error,critical,   HOST IP ,
> === system,error,critical,   HOST IP ,
> === system,error,critical,   HOST IP ,
> === system,error,critical,   HOST IP ,
> === system,error,critical,   HOST IP ,
> === system,error,critical,   HOST IP ,
> === system,error,critical,   HOST IP ,
> === system,error,critical,   HOST IP ,
> === system,error,critical,   HOST IP ,
>
>
> The pdbtool test is OK. I hope someone can give me a solution and some help;
> I have searched the mailing list but could not find the right solution.
> Thanks a lot.
>
> root at debian:~# pdbtool match -D -c -p
> /etc/syslog-ng/patterndb/esxi_pattern.xml -P ESXI -M "Apr 26 15:17:31
> 192.168.88.71 vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd
> 0x1a (0x4124444a6280, 0) to dev "mpx.vmhba0:C0:T0:L0" on path
> "vmhba0:C0:T0:L0" Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0.
> Act:NONE"
> Pattern matching part:
> @STRING:.esxi.month=Apr@ @STRING:.esxi.date=26@
> @STRING:.esxi.time=15:17:31@@IPv4:.esxi.host_ip=192.168.88.71@
> @ESTRING:.esxi.program=
> vmkernel: cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a
> (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0
> Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0.
> Act:NONE@@ANYSTRING:.esxi.message=cpu11:8203)NMP:
> nmp_ThrottleLogForDevice:2319: Cmd
> 0x1a (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0
> Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE@
> Matching part:
> Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP:
> nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev
> mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid
> sense data: 0x5 0x20 0x0. Act:NONE
> Values:
> MESSAGE=Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP:
> nmp_ThrottleLogForDevice:2319: Cmd 0x1a (0x4124444a6280, 0) to dev
> mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0 Failed: H:0x0 D:0x2 P:0x0 Valid
> sense data: 0x5 0x20 0x0. Act:NONE
> PROGRAM=ESXI
> .classifier.class=esxi
> .classifier.rule_id=182437592347598
> .esxi.month=Apr
> .esxi.date=26
> .esxi.time=15:17:31
> .esxi.host_ip=192.168.88.71
> .esxi.program= vmkernel
> .esxi.message=cpu11:8203)NMP: nmp_ThrottleLogForDevice:2319: Cmd 0x1a
> (0x4124444a6280, 0) to dev mpx.vmhba0:C0:T0:L0 on path vmhba0:C0:T0:L0
> Failed: H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0. Act:NONE
> root at debian:~#
>
>
> My configuration is as below:
>
> ########   esxi_pattern.xml ############
> <?xml version="1.0" encoding="utf-8"?>
> <patterndb version='3' pub_date='2009-04-17'>
> <ruleset name='esxi' id='123456678'>
> <pattern>ESXI</pattern>
> <rules>
> <rule provider='Fone Bro' id='182437592347598' class='esxi'>
> <patterns>
> <pattern>@STRING:.esxi.month:@ @STRING:.esxi.date:@
> @STRING:.esxi.time::@@IPv4:.esxi.host_ip:@
> @ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@</pattern>
> </patterns>
> </rule>
> </rules>
> </ruleset>
> </patterndb>
>
> ######## syslog-ng.conf      ########
>
> #####Parser#####
> parser pattern_db {
>         db_parser( file("/etc/syslog-ng/patterndb/esxi_pattern.xml"));
> };
>
> #Check pattern matching
> destination udp_esxi_output {
>    file("/var/log/pattern_output"
>    template("=== $PROGRAM,${.esxi_month} ${.esxi.date} ${.esxi.time} HOST
> IP ${.esxi.host_ip},${.esxi.message}\n")
> template_escape(no));
> };
>
> #####Log#####
> log {
>         source(s_network);
>         parser(pattern_db);
>         destination(udp_esxi_output);
> };
> ------------------------------
>
> Message: 2
> Date: Sat, 27 Apr 2013 16:10:02 +0000
> From: Evan Rempel <erempel at uvic.ca>
> Subject: Re: [syslog-ng] Can not get DBParse match macro result (syslog-ng 3.13 debian squeeze)
> To: "Syslog-ng users' and developers' mailing list" <syslog-ng at lists.balabit.hu>
>
> It would appear that you have everything correct when the "PROGRAM" is
> ESXI but the log line as syslog-ng sees it has a PROGRAM of "system"
> according to your test log output.
>
> If you change the patterndb ruleset pattern to use a program of system
> rather than ESXI I think it would work.
>
>
> Evan Rempel   250.271.7691
> University Systems, University of Victoria
>
> ------------------------------
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog-ng.conf
Type: application/octet-stream
Size: 7434 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130429/3acd74c2/attachment-0001.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: esxi_pattern.xml
Type: text/xml
Size: 434 bytes
Desc: not available
Url : http://lists.balabit.hu/pipermail/syslog-ng/attachments/20130429/3acd74c2/attachment-0001.bin 
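The lookup Evan describes in the thread (the ruleset <pattern> must equal $PROGRAM before any rule is tried, and only a matching rule fills the ${.esxi.*} macros) as an added, simplified Python model; this is example code written for this page, not syslog-ng's own radix matcher. It assumes the rule pattern from the thread with one explicit space between the time and IPv4 parsers, a constructed sample MESSAGE, and syslog-ng's behaviour of expanding unset macros to the empty string.

```python
import re
# Added example (not syslog-ng code): a simplified model of a patterndb lookup.
# A ruleset's <pattern> must equal $PROGRAM before any of its rules are tried, and
# only a matching rule stores its @PARSER:name:param@ fields for use in templates.
RULESET_PROGRAM = "ESXI"  # <pattern>ESXI</pattern> from the thread
# Rule pattern from the thread, with one explicit space added between the time and
# IPv4 parsers because this simplified model compares literal characters exactly.
RULE_PATTERN = ("@STRING:.esxi.month:@ @STRING:.esxi.date:@ "
                "@STRING:.esxi.time::@ @IPv4:.esxi.host_ip:@ "
                "@ESTRING:.esxi.program::@ @ANYSTRING:.esxi.message@")
TEMPLATE = ("=== $PROGRAM,${.esxi.month} ${.esxi.date} ${.esxi.time} "
            "HOST IP ${.esxi.host_ip},${.esxi.message}")
# Constructed MESSAGE part of the thread's sample line; PROGRAM is what syslog-ng parsed.
SAMPLE_MSG = ("Apr 26 15:17:31 192.168.88.71 vmkernel: cpu11:8203)NMP: "
              "nmp_ThrottleLogForDevice:2319: Cmd 0x1a Act:NONE")

def compile_rule(pattern):
    """Rule pattern -> (anchored regex, field names). STRING = alnum plus the param
    chars, IPv4 = dotted quad, ESTRING = up to and consuming the param delimiter,
    ANYSTRING = the rest of the message. Literal text must match exactly."""
    names, parts, pos = [], [], 0
    for m in re.finditer(r"@(\w+):([^:@]+)(?::([^@]*))?@", pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        kind, name, param = m.group(1), m.group(2), re.escape(m.group(3) or "")
        names.append(name)
        if kind == "STRING":
            parts.append("([A-Za-z0-9%s]+)" % param)
        elif kind == "IPv4":
            parts.append(r"((?:\d{1,3}\.){3}\d{1,3})")
        elif kind == "ESTRING":
            parts.append("([^%s]*)%s" % (param, param))
        else:  # ANYSTRING
            parts.append("(.*)")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$"), names

def db_parse(program, message, ruleset_program=RULESET_PROGRAM, rule=RULE_PATTERN):
    """Values a matching rule sets; {} if $PROGRAM != ruleset <pattern> or no rule matches."""
    if program != ruleset_program:  # the thread's bug: PROGRAM was "system", pattern "ESXI"
        return {}
    regex, names = compile_rule(rule)
    m = regex.match(message)
    return dict(zip(names, m.groups())) if m else {}

def render(template, program, values):
    """Expand $PROGRAM and ${name}; unset names (e.g. the typo ${.esxi_month}) become ''."""
    out = template.replace("$PROGRAM", program)
    return re.sub(r"\$\{([^}]+)\}", lambda m: values.get(m.group(1), ""), out)
```

Running `render(TEMPLATE, "system", db_parse("system", SAMPLE_MSG))` reproduces the empty "=== system,   HOST IP ," line from the thread, while `db_parse("ESXI", SAMPLE_MSG)` models what `pdbtool match -P ESXI` did by forcing PROGRAM to ESXI.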

